Archives
-
Troubleshooting: IIS 6 Status and Substatus codes
I thought it would be a great idea to write this down as an entry.The information that I am going to share now has helped me to troubleshoot a majority of cases I have had on IIS.
Lets start by understanding what are status and sub states codes.
Everytime IIS receives a request, if IIS logging in enabled, IIS logs the request into a Log file. In IIS 6 logging in enabled by default however in IIS 7 it's a choice.
To a beginner, the common questions that arise at this point are,
Q.) How do we drill down to the logs of an appropriate website?
A.) Here is how you do it.
By default,In IIS 6 logs are stored at C:\windows\system32\LogFiles\
Once you get to this location you would be seeing entries like this W3SVC1, W3SVC87257621.
In IIS 7 the location would be C:\inetpub\logs\logfiles\
Q.) What do these entries mean?
A.) W3SVC stands for website and 1 or 87257621 stands for the unique identifier that is associated with a particular website.
Q.) How do you know which identifier is associated with which website?
A.) Goto, Inetmgr -> click on Web Sites and take a look at the right hand side screen ... And there you have it the Identifier column. This identifier is unique and no 2 websites have the same identifier. Even if you delete and recreate the same website you will notice that the website identifier is different.
Once you go into the log folder you will see logs depending on the format you have chosen. By default in IIS 6, they are daily. And the log filenames are in the format exYYMMDD.log ... (ROVASTAR, thanks for the inputs)
A typical Log information for a request would look something like this ....2008-04-11 20:39:48 127.0.0.1 GET /test/1.asp - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2; +.NET+CLR+1.1.4322) 200 0 0
2008-04-11 20:40:04 127.0.0.1 GET /test/1.asp - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2; +.NET+CLR+1.1.4322) 404 2 1260
In the above example I have highlighted the Status Code and the Sub-Status code ... In the first case we have the values as 200 0 where in the status code is 200 and the sub status code is 0. 200 status code stands for "Request ok." Therfore, just by a look at the log we can determine that the request was served properly by IIS.... Moving on to the next example the 2 numbers are 404 and 2 , where in 404.2 means that the page could not be displayed because "Web service extension lockdown policy prevents this request."
See how easy it becomes once you understand the meaning of the status codes along with the help of sub-status codes!Tip:If you don't get any thing much out of this information. Browse the page with the Show Friendly Http Error Messages unchecked.
Here's a list of status codes and substatus codes along with their meanings. Let me know if I have forgotten any :)
To do that go to IE -> Tools -> Internet Options -> Advanced -> Browsing
Broadly they are classified in this format:Status Code Range Type of Code 100 Informational 200 Successful 300 Redirection 400 Client Error 500 Server Error
Below is the table giving you in detail information:Status Code Sub-Status Code Explanation 100 - Continue 101 - Switching pools 200 OK. The clinet request has succeeded 201 - Created 202 - Accepted 203 - Non-authoritative information 204 - No content 205 - Reset content 206 - Partial content 301 - Permanent Redirect. 302 - Object Moved 304 - Not Modified. 307 - Temporary redirect. 400 - Cannot resolve the request/Bad request. 401 x Unauthorized. 401 1 Access is denied due to invalid credentials. 401 2 Access is denied due to server configuration favoring an alternate authentication method. 401 3 Access is denied due to an ACL set on the requested resource. 401 4 Authorization failed by a filter installed on the Web server. 401 5 Authorization failed by an ISAPI/CGI application. 401 7 Access denied by URL authorization policy on the Web server. 403 x Access is denied. 403 1 Execute access is denied. 403 2 Read access is denied. 403 3 Write access is denied. 403 4 SSL is required to view this resource. 403 5 SSL 128 is required to view this resource. 403 6 IP address of the client has been rejected. 403 7 SSL client certificate is required. 403 8 DNS name of the client is rejected. 403 9 Too many clients are trying to connect to the Web server. 403 10 Web server is configured to deny Execute access. 403 11 Password has been changed. 403 12 Client certificate is denied access by the server certificate mapper. 403 13 Client certificate has been revoked on the Web server. 403 14 Directory listing is denied on the Web server. 403 15 Client access licenses have exceeded limits on the Web server. 403 16 Client certificate is ill-formed or is not trusted by the Web server. 403 17 Client certificate has expired or is not yet valid. 403 18 Cannot execute requested URL in the current application pool. 403 19 Cannot execute CGIs for the client in this application pool. 403 20 Passport logon failed. 404 x File or directory not found. 404 1 Web site not accessible on the requested port. 404 2 Web service extension lockdown policy prevents this request. 404 3 MIME map policy prevents this request. 404 4 No handler was found to serve the request. 404 5 The Request Filtering Module rejected an URL sequence in the request. 404 6 The Request Filtering Module denied the HTTP verb of the request. 404 7 The Request Filtering module rejected the file extension of the request. 404 8 The Request Filtering module rejected a particular URL segment (characters between two slashes). 404 9 IIS rejected to serve a hidden file. 404 10 The Request Filtering module rejected a header that was too long. 404 11 The Request Filtering module rejected a request that was double escaped. 404 12 The Request Filtering module rejected a request that contained high bit characters. 404 13 The Request Filtering module rejected a request that was too long (request + entity body). 404 14 The Request Filtering module rejected a request with a URL that was too long. 404 15 The Request Filtering module rejected a request with a too long query string. 405 - HTTP verb used to access this page is not allowed. 406 - Client browser does not accept the MIME type of the requested page. 407 - Initial proxy authentication required by the Web server. 412 - Precondition set by the client failed when evaluated on the Web server. 413 - Request entity too large. 414 - Request URL is too large and therefore unacceptable on the Web server. 415 - Unsupported media type. 416 - Requested range not satisfiable. 417 - Expectation failed. 423 - Locked error. 500 x Internal server error. 500 11 Application is shutting down on the Web server. 500 12 Application is busy restarting on the Web server. 500 13 Web server is too busy. 500 14 Invalid application configuration on the server. 500 15 Direct requests for Global.asa are not allowed. 500 16 UNC authorization credentials are incorrect. 500 17 URL authorization store cannot be found. 500 18 URL authorization store cannot be opened. 500 100 Internal ASP error. 501 - Header values specify a configuration that is not implemented. 502 - Bad gateway. 503 - Service unavailable. 504 - Gateway timeout. 505 - HTTP version not supported.
Hope this helps! ;) -
IIS 6 Authentication vs Authorization
I have been wanting to write a blog on this topic like forever. Finally I have got down to write down the brief explanation.
IIS 6 authentication is of different types and is capable of delivering the needs of various scenarios.This blog is going to provide you with the best way to learn concepts of IIS 6 authentication.
Well from then on, it depends on how you want to take this article too. Put down your comments and I will try and stitch the various questions to another blog on this topic. I am pretty sure IIS authentication raises a lot of questions in the mind of the reader. So here it goes.
The 2 concepts which often confuses a lot of people are - authentication and authorization. Lets start by 1st differentiating them
Authentication is the process of obtaining credentials from the users and using those to verify the user's identity. These credentials can be received in many ways and can be of many types. Whereas, Authorization is the process of allowing an authenticated user access to resources.For example, in IIS 6 if you use Basic Authentication then the username and password are transmitted over the network in plain text format.
Lets understand this with the help of an example. I am going to consider that we are working with anonymous access. The usual misconception that people have is that with Anonymous access everyone can view anything on the server. Well that is not true!
Authentication always precedes Authorization; even if your application lets anonymous users connect and use the application, it still authenticates them as being anonymous.
Assume, if the authenticated user does not have privileges on the content that is to be viewed, the user is not authorized to view the content.The important point to understand here is that the user is never the less still authenticated.
The different types of Authentication available in IIS 6 are:
(For the sake of me not typing duplicate material, I have given the appropriate links which explains the phenomenon the best ;) )- Anonymous Authentication. (Microsoft Explains)
- Digest Authentication for Windows Domain Users. (Microsoft Explains)
- Integrated Windows Authentication. (Microsoft Explains)
- Basic Authentication. (Microsoft Explains)
- .Net Passport authentication. (Microsoft Explains)
Incorrect settings may lead to certain errors depending upon the configuration that may have gone wrong. But mostly you may come across a 401.x or 403.x errors. For description on these errors view my previous blog on understanding the status and substatus code
Will be coming about with a few more articles on IIS authentication in the near future. Just need to decide how to go about it :D